Russian Hack Attack on Banks: Is This the Big One?

JPMorgan Chase and at least four other US banks have been hit by a series of coordinated attacks on account information. Was it inevitable?

It's likely that the mainstream news media talking heads were the only people who were shocked by the news that at least five US banks -- including JPMorgan Chase, the only institution identified so far -- have been cyberattacked in the past month, apparently by Russian hackers. Financial services industry professionals and industry observers are well aware that banks are ongoing targets for fraud and cybercrime. As JPMorgan Chase spokesperson Patricia Wexler told The New York Times: "Companies of our size unfortunately experience cyberattacks nearly every day. We have multiple layers of defense to counteract any threats and constantly monitor fraud levels."

Right now, it's not clear (well, at least the public statements say it's not clear) whether the motive behind the attacks is theft, disruption, or both, and the FBI reportedly is investigating these options. There's speculation that the Russian government could be sponsoring the attacks in retaliation for US sanctions imposed in response to the crisis in the Ukraine. According to a report from Bloomberg, which broke the news of the attacks:

The sophistication of the attack and technical indicators extracted from the banks' computers provide some evidence of a government link. Still, the trail is muddy enough that investigators are considering the possibility that it's cyber criminals from Russia or elsewhere in Eastern Europe. Other federal agencies, including the National Security Agency, are now aiding the investigation, a third person familiar with the probe said.

The scope of the attacks is big enough that they are getting widespread coverage, but it remains to be seen if these are the "big ones" that the financial services industry knows are inevitable. Unlike account theft such as the Target card breach, where it appears that company procedures and protections may not have been as aggressive as they should have been, these kinds of cyberattacks probably have little to do with exploiting suspected weaknesses in bank security. As Wexler said, the banking industry constantly must deal with these kinds of threats, takes them extremely seriously, and has made huge investments in systems, infrastructure, training, and process to fend off these assaults.

However, these latest attacks are likely to fuel more calls and efforts for regulation that requires banks to provide (theoretically) stronger security and improved privacy protections. This has been a topic of discussion on Bank Systems & Technology message boards recently, even before the revelation of this latest round of attacks. As Brian Maccaba, CEO of the application security firm Waratek, observed in a comment on Wednesday:

Regulation of security for financial institutions is reminiscent of the debate on risk management and capital adequacy over the past decade. Lengthy debates ultimately gave way to a mix of increased regulation for all, together with significantly more sophisticated methodologies being adopted by the leading international players.

The collapse of Lehman and financial meltdown in 2008 has led to significantly increased and more specific regulatory requirements. A serious cyber security breach at a major financial institution would probably have a similar effect.

No doubt there will be an orgy of finger pointing (sorry for the mixed metaphors), at least among politicians and some in the news media, regarding who's to blame for these attacks, what the response should be, and what can be done to prevent assaults. How do you think this will play out?

Dr. John Bates made a list of predictions for the financial markets on WS&T and within a month saw nearly all of them fulfilled. Kathy, watch your words, UBM Tech community members are displaying disturbing fortune-telling talents...

You make a good point, and I am sure insurance security teams are paying close attention and getting involved in these reinforcement conversations.

Great point. I think, on the heels of this "big one," the media will be sniffing around for the next attack to report on, even a minor one that would usually go unmentioned. It will be an interesting next few months.

You'll be even more scared when you consider that insurance companies probably are next in line for cyber attacks. As the banking industry reinforces its defenses, the fraudsters are likely to look for the next "easy" financial services target. Insurers should be taking these developments very seriously.

I remember going to an Ernst & Young summit on cybersecurity in the last couple of years, and one of the security experts said only a fraction of the attacks on banks are actually reported in the news media. They're pretty much being targeted every second of the day, at least the big ones. So this is an issue that will not be going away anytime soon.